What is a .env File?
The short answer
A .env file (pronounced "dot env") is a plain text file that stores environment variables as KEY=value pairs. Applications read these values at startup instead of having them hardcoded in the source code.
A typical .env file looks like this:
DATABASE_URL=postgresql://user:pass@localhost:5432/mydb
API_KEY=sk-abc123xyz
PORT=3000
NODE_ENV=development
DEBUG=false
Why not just hardcode values?
Hardcoding secrets in source code is a serious security risk. If you commit a database password or API key to a public repository, it is permanently exposed — even if you delete it in a later commit, it remains in the git history.
Environment variables solve this by keeping secrets outside the codebase:
- Each developer has their own .env with their local credentials
- Production uses environment variables injected by the deployment platform
- The .env file is listed in .gitignore and never committed
.env file syntax
The format is simple with a few rules:
# Comments start with a hash
KEY=value              # No spaces around =
QUOTED="hello world"   # Quotes allow spaces
EMPTY=                 # Empty value is allowed
MULTIWORD=one two      # No quotes needed for this
- No spaces around the = sign
- Quotes are optional but needed for values with spaces
- Lines starting with # are comments
- Variables are usually uppercase by convention
Loading .env in your app
In Node.js — install the dotenv package:
npm install dotenv
// At the top of your entry file:
require('dotenv').config();
// or (ESM):
import 'dotenv/config';
console.log(process.env.DATABASE_URL); // "postgresql://..."
In Python — install python-dotenv:
pip install python-dotenv
from dotenv import load_dotenv
import os
load_dotenv()
print(os.getenv('DATABASE_URL'))
In Next.js — built-in support, no package needed. Files named .env, .env.local, .env.production are loaded automatically.
Common .env file variants
.env — base defaults
Shared defaults that apply to all environments. Safe to commit if it contains no secrets (use placeholder values).
.env.local — local overrides
Machine-specific values. Always in .gitignore. Takes priority over .env.
.env.example — template
A committed file showing which variables are required, with empty or fake values. New developers copy this to .env.local to get started.
.env.production — production config
Production-specific values. Usually these come from the hosting platform (Vercel, Railway, AWS) rather than a file.
Best practices
- Always add .env and .env.local to .gitignore
- Commit a .env.example with all required keys but no real values
- Never log environment variables — they may contain secrets
- Immediately rotate any secret that was accidentally committed
- In production, use your platform's secrets manager instead of .env files on disk
- Validate required environment variables at startup so your app fails fast with a clear error
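One way to implement the startup validation from the list above, as an added example that is not code from the original page: it treats the keys in .env.example as the required set and reports missing ones by name only, so no secret value reaches the logs. The function names and the sample template are assumptions made for this illustration.

```javascript
// Constructed sample standing in for a committed .env.example (no real values).
const SAMPLE_ENV_EXAMPLE = `
# Copy to .env.local and fill in
DATABASE_URL=
API_KEY=
PORT=3000
NODE_ENV=development
`;

// Collect key names from .env-style text: skip blank lines and # comments,
// and take the text before the first "=" as the key.
function requiredKeys(envExampleText) {
  const keys = [];
  for (const raw of envExampleText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // not a KEY=value line
    const key = line.slice(0, eq).trim();
    if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) keys.push(key);
  }
  return keys;
}

// Map each required key to "set" or "missing". Values are never copied,
// so the result can be logged without exposing a secret.
function envStatus(keys, env) {
  const status = {};
  for (const key of keys) {
    const value = env[key];
    status[key] = value === undefined || String(value).trim() === '' ? 'missing' : 'set';
  }
  return status;
}

// Fail fast: one error that names every missing variable.
function assertEnv(envExampleText, env = process.env) {
  const status = envStatus(requiredKeys(envExampleText), env);
  const missing = Object.keys(status).filter((k) => status[k] === 'missing');
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return status;
}
```

In an application, call assertEnv with the contents of .env.example right after the .env file has been loaded, before anything else reads process.env.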